In this blog post we will provide a few ideas on where to start auditing financial systems. Financial systems in this context are systems used for recording financial transactions including systems for making payments.

There are two key risks associated with financial systems:

  • Application integrity: Applications don’t do what they are meant to.
  • Application security: The application’s security system does not restrict access appropriately.

From an application integrity perspective, probably the most important aspect to cover is the completeness and accuracy of income calculated in these systems. This is because income is fairly important in most companies’ lives. Basic assurance over income can be achieved using data analytics and recalculation of income generated when processing transactions. In general, companies get the basics right as these system calculations are usually well tested, but audit findings in this area can have a real impact. A few issues I have seen in my career are:

  • Incorrect interest calculations, particularly in complex financial services billing models.
  • Incorrect billing of utility-type services, such as when companies are selling mobile phone airtime. These companies also have complicated billing models, which are rife with inconsistencies.
  • Incomplete revenue recognition on subscription-type models, particularly when client databases are not integrated with systems used for billing.

From an application security point of view, the most important area to cover is access to payment systems. I have seen several frauds in small, medium, and large corporates that are linked back to unnecessary access. The root cause is usually access that accumulates and is not removed when an employee moves roles or leaves the company. A simple user review process can help mitigate this risk. It is important that this user review covers all payment-related systems. It is often surprising how many payment systems exist in most companies, and keeping track of them can be challenging.
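As an added illustration (not from the original post), the sketch below shows one way to run such a user review: reconcile access exports from each payment system against an HR extract, flag leavers, unmatched accounts and access that predates the person's current role, and list inventoried payment systems that supplied no export. The system names, column names and data are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR extract and access exports from two payment systems.
HR_CSV = """employee_id,status,role_start
E100,active,2021-03-01
E101,terminated,2019-06-15
E102,active,2024-02-01
"""
ACCESS_CSV = """system,employee_id,entitlement,granted
bank_portal,E100,release_payment,2021-03-05
bank_portal,E101,release_payment,2019-07-01
erp_payments,E102,create_payment,2022-09-10
erp_payments,E102,view_only,2024-02-03
erp_payments,E999,release_payment,2020-01-20
"""

def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def review_access(hr_rows, access_rows):
    """Return (system, employee_id, entitlement, reason) for each grant needing review."""
    hr = {r["employee_id"]: r for r in hr_rows}
    findings = []
    for g in access_rows:
        person = hr.get(g["employee_id"])
        if person is None:
            reason = "no HR record"            # orphaned or shared account
        elif person["status"] != "active":
            reason = "leaver"                  # access not removed on exit
        elif date.fromisoformat(g["granted"]) < date.fromisoformat(person["role_start"]):
            reason = "granted before current role"  # accumulated across a role move
        else:
            continue
        findings.append((g["system"], g["employee_id"], g["entitlement"], reason))
    return findings

def missing_exports(access_rows, inventory):
    """Payment systems in the inventory that supplied no access export."""
    return sorted(set(inventory) - {g["system"] for g in access_rows})

if __name__ == "__main__":
    grants = load(ACCESS_CSV)
    for finding in review_access(load(HR_CSV), grants):
        print(*finding, sep=" | ")
    # card_gateway is a hypothetical third system in the payment-system inventory.
    print("missing exports:", missing_exports(grants, ["bank_portal", "erp_payments", "card_gateway"]))
```

Flagged grants are candidates for confirmation with the line manager, not automatic removals; access granted before a role change may still be valid in the new role.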

So those are the first two things to start with when auditing financial systems: first, recalculate revenue, and second, ensure that user reviews are taking place. You will cover a fair amount of the risks associated with these systems by focusing on these two areas.